Encryption strenght with SQL Server self-signed certificate

Similar Messages

• Problems with Creating a self-signed Certificate

  hi,
  I read the keytool Documentation and wanted to create my own self-signed certificate.
  ok, I followed the steps :
  1) keytool -keyclone -alias origkey -dest my_key
  2) keytool -selfcert -alias my_key -dname "cn=Stefan Gross, ou=Computers, o=notintersting, c=D"
  3) keytool -certreq -alias my_key (output in mycert.cer)
  4)keytool -certreq -alias my_key -sigalg X.509 -file newcert.cer
  .. Password Input...
  Keytool-Error: java.lang.Exception: Alias <my_key> does not exist.
  But it exists, see :
  [usr]$ keytool -list
  Keystore-Typ: jks
  Keystore-Provider: SUN
  new_key, 06.05.2003, keyEntry,
  So it exists, but why do I get the error ?
  So far,
  Stefan Gross

  stefan hi,
  i have tried to produce a certificate my_cert.cer and it went well. as far as i understood you have to create a keystore first. this keystore holds a key pair.
  and then using the keystore you can create as many certificates as possible based on the key pair.
  try following the steps below. it should work, i mean i have followed them and all was fine. you can find the original form of the following from documentation of keytool (sun).
  hope this time it'll work, let me know.
  cem.
  note: the last step is importing the certificate to the keystore which is not necessary if you only want the certificate.
  To set up a digital certificate,
  Generate a key pair.
  The keytool utility enables you to generate the key pair. The keytool utility that ships with the J2SE SDK programmatically adds a Java Cryptographic Extension provider that has implementations of RSA algorithms. This provider enables you to import RSA-signed certificates.
  To generate the keystore file, run the keytool utility as follows, replacing <keystore_filename> with the name of your keystore file, for example, server.keystore. If you are using the Tomcat server, the file must either be named .keystore and located in the home directory of the machine on which Tomcat is running, or you will need to tell Tomcat where the kestore file is by adding a keystoreFile attribute to the <Factory> element in the Tomcat configuration file or by specifying the location of the file on the Connector (8443) node of admintool.
  keytool -genkey -keyalg RSA -alias tomcat-server
  -keystore <keystore_filename>
  The keytool utility prompts you for the following information:
  Keystore password--Enter the default password, which is changeit. Refer to the keytool documentation for information on changing the password.
  First and last name--Enter the appropriate value, for example, JWSDP.
  Organizational unit--Enter the appropriate value, for example, Java Web Services.
  Organization--Enter the appropriate value, for example, Sun Microsystems.
  City or locality--Enter the appropriate value, for example, Santa Clara.
  State or province--Enter the unabbreviated name, for example, CA.
  Two-letter country code--For the USA, the two-letter country code is US.
  Review the information you've entered so far, enter Yes if it is correct.
  Key password for the Web server--Do not enter a password. Press Return.
  The next step is generate a signed certificate for this keystore. A self-signed certificate is acceptable for most SSL communication. If you are using a self-signed certificate, continue with Creating a Self-Signed Certificate. If you'd like to have your certificate digitally signed by a CA, continue with Obtaining a Digitally-Signed Certificate.
  Creating a Self-Signed Certificate
  This example assumes that the keystore is named server.keystore, the certificate file is server.cer, and the CA file is cacerts.jks. Run these commands in your <HOME> directory so that they are created there.
  Export the server certificate to a certificate file:
  keytool -keystore server.keystore -export -alias tomcat-server -file server.cer
  Enter the password (changeit).
  Keytool returns the following message:
  Certificate stored in file <server.cer>
  Import the new server certificate into the Certificate Authority file cacerts.jks:
  keytool -import -alias serverCA -keystore <HOME>/cacerts.jks
  -file server.cer
  Enter the password (changeit).
  Keytool returns a message similar to the following:
  Owner: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
  ST=CA, C=US
  Issuer: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
  ST=CA, C=US
  Serial number: 3e39e3e0
  Valid from: Thu Jan 30 18:48:00 PST 2003 until: Wed Apr 30 19:48:00 PDT 2003
  Certificate fingerprints:
  MD5: 44:89:AF:54:FE:79:66:DB:0D:BE:DC:15:A9:B6:09:84
  SHA1:21:09:8A:F6:78:E5:C2:19:D5:FF:CB:DB:AB:78:9B:98:8D:06:8C:71
  Trust this certificate? [no]: yes
  Certificate was added to keystore
  ----------------------------------

• Can we connect Outlook with Exchange 2013 with the default Self-signed certificate?

  Hi,
  the question is very simple, but after several days searching in this forums and in the web I have not been able to find a definitive answer YES or NOT. I know that Self-signed certificates are not for a production enviroment and only for labs and we must
  purchase a third party certificate or get one from a internal CA.
  Anyone can answer this question with no doubt?
  Thanks in advance!
  jspt

  Hi Abhi,
  I wrote this question because in a recent migration to 2013 from 2007 we've found with this problem: you can view it in the post http://social.technet.microsoft.com/Forums/exchange/en-US/1ddd1e81-1061-4461-95dd-13de653ef8fe/outlook-cant-connect-with-exchange-2013-after-migration-from-exchange-2007?forum=exchangesvrdeploy.
  Also I have installed a new exchange 2013 in a lab enviroment and I also have unabled to connect from a Outlook 2013. The problem is the same Outlook is unable to detect the exchange server. Many people in this forums told me that have to be a certificate
  problem and for that I posted this question. Honestly, I don't know how to do for Outlook can be connect with Exchange 2013. I don't know what I'm doing wrong.
  Anyway thanks for your answer.
  jspt

• Getting self-signed certificates working with mail

  Hi all,
  I am having trouble getting email certificates created with keychain access to work in mail.
  According to the Leopard help file, you simply have to go to Keychain access and create the certificate, which I did. After that if you create a message in mail with that account, there should be an icon showing that the message will be signed or encrypted if you have the recipients certificate installed. I cannot seem to get this to work. I have created the certificates specifically for email, the certificate shows in Keychain as well as a public and private key entry, but mail refuses to see it.
  Has anyone gotten this to work with Mail and self-signed certificates?
  Any help would be most appreciated.
  Thanks,
  RacerX

  Have you tried setting the "Always trust" property? Double click the certificate in Keychain Access and allow it to have always trust for email.
  Also, make sure that bundles are enabled for mail.
  (Forget the command, google for "defaults write com.apple.mail enableBundles")
  That did it for me.
  Br,
  T

• Avoid an alert with using self-signed certificate

  Hi
  I want to publish a free product and I would like to use a free self-signed certificate
  But during installing, the Adobe Exstension Manager shows an alert
  Where is a way how to avoid this alert with using a self-signed certificate (I generated certificate with help of Adobe Exchange Packager) or I should only use a paid code-signed certificate?
  Best regards
  Maxim

  As I understund, "Show warning when instaling..." this option available only for end user in Exstantion manager, right? It means there is no way how to switch off this warning if I use ucf.jar tool for packing ZPX and an user uses default setting on this end. When, only one way is left - to buy a payed certificate, even for free product. Correct?

• Use self signed certificate

  Hi,
  I have got a theoretical question: Is it right to use self-signed certificate in production environment?
  We don't want to use this cert. for authentication but for SSL decryption. Is this a good solution?
  Thanks!
  V.

  Hi Rick,
  May be I was not completely clear in my wordings :)
  VPN connection is not a mandate. The VPN connection already existed between our organization and the provider service (instead of going over the internet) and hence the security person in our organization was fine with us using self signed certificates.
  I gave you a scenario where the use of self signed certs was authorized. And also once more scenario where using self signed certs in test environments is not allowed.
  Two contrasting thoughts, so basically it is up to the perception of the security people to assess the risk and give a go ahead.
  Personally I feel that if the communication channel is secure between the systems (2 way ssl) then using self signed certs for message encryption might be fine.
  If the channel is not secured (may be even 1 way SSL), I would prefer using CA certified certs.
  Hope I make more sense now :)
  Thanks,
  Patrick

• DS6.3 replication and sun self signed certificate

  1. I am creating a replication agreement using the dscc and am prompted to choose:
  Authenticate using simple authentication and use a non-secure connection
  Authenticate using simple authentication and use a secure connection
  Authenticate using a certificate and use a secure connection
  I would like to choose the second option "Authenticate using simple authentication and use a secure connection" since I am replicating to another company division on another subnet in another building.
  Does this option take into account the installed certificates? Can I do this with a sun self signed certificate that I got by default at install? And if so can I renew it if it is expired?
  In my deployments I have used my own self signed certs and store bought certs. Since I know the other server has the sun cert, I was thinking I could just use that, and not do any root cert exchanges.

  Yes, you can. By default the certs that come when instance is created expire in 90 days and you can renew the cert easily using certutil. But you have to change the cert's trust properties so it can be used as a client as well.
  It's best you use CA signed certificates that last for longer, that way you can use it with normal apps as well. If this does not help, please post again.
  http://docs.sun.com/app/docs/doc/820-2763/bcarh

• Xcode continuous integration, Subversion and self-signed certificate won't work altogether.

  Hi!
  I've installed on MacMini Maverick OS with OSX Server.
  Then I've configured the Xcode continuous integration with Subversion (using self-signed certificate), also created bots and etc.
  But It won't work.
  Attached is the log:
  Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSCheckoutOperation.m:717 7c087310 +0ms] revision: (null) Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSCheckoutOperation.m:718 7c087310 +0ms] log: (null) Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSCheckoutOperation.m:719 7c087310 +0ms] checkoutError: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk." UserInfo=0x7fb388c4b4e0 {NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fb388c18ff0 [0x7fff7baddf00]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fb389904370 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk.", NSErrorPeerCertificateChainKey=( "<SecCertificate 0x7fb388c6f490 [0x7fff7baddf00]>" ), NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk., NSErrorFailingURLKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorFailingURLStringKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorClientCertificateStateKey=0} Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Error>: [XCSCheckoutOperation.m:732 7c087310 +0ms] Error in SVN checkout Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk." UserInfo=0x7fb388c4b4e0 {NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fb388c18ff0 [0x7fff7baddf00]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fb389904370 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk.", NSErrorPeerCertificateChainKey=( "<SecCertificate 0x7fb388c6f490 [0x7fff7baddf00]>" ), NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk., NSErrorFailingURLKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorFailingURLStringKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorClientCertificateStateKey=0} <stderr>= (null) Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Error>: [XCSOperation.m:33 7c087310 +0ms] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk." UserInfo=0x7fb388c4b4e0 {NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fb388c18ff0 [0x7fff7baddf00]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fb389904370 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk.", NSErrorPeerCertificateChainKey=( "<SecCertificate 0x7fb388c6f490 [0x7fff7baddf00]>" ), NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk., NSErrorFailingURLKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorFailingURLStringKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorClientCertificateStateKey=0} Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSOperation.m:28 7c087310 +0ms] Cancelling operation: XCSCheckoutOperation Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Error>: [XCSBuildBundle.m:790 7c087310 +0ms] Got an error from the checkout operation: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk." UserInfo=0x7fb388c4b4e0 {NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fb388c18ff0 [0x7fff7baddf00]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fb389904370 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk.", NSErrorPeerCertificateChainKey=( "<SecCertificate 0x7fb388c6f490 [0x7fff7baddf00]>" ), NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk., NSErrorFailingURLKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorFailingURLStringKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorClientCertificateStateKey=0} Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSBuildBundle.m:850 7c087310 +0ms] Starting upload files operation Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSBuildBundle.m:1018 7c087310 +0ms] Updating bot run status to running, substatus to uploading Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Info>: [CSRemoteServiceClient.m:151 7c087310 +0ms] Connecting to https://localhost:4443/svc to execute [https]Request{AuthService.enterMagicalAuthRealm()} Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSBuildHelper.m:97 7c087310 +38ms] Updating bot run with GUID cccf1c74-6c5a-4fff-a57f-5e5bead09457 Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSBuildHelper.m:102 7c087310 +0ms] Updating bot run (cccf1c74-6c5a-4fff-a57f-5e5bead09457): { guid = "cccf1c74-6c5a-4fff-a57f-5e5bead09457"; status = running; subStatus = uploading; } Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Info>: [CSRemoteServiceClient.m:151 7c087310 +0ms] Connecting to https://localhost:4443/svc to execute [https]Request{XCBotService.updateBotRun:({ guid = "cccf1c74-6c5a-4fff-a57f-5e5bead09457"; status = running; subStatus = uploading; })}
  Hope you'll be able to assist me find what I'm doing wrong.
  Thanks in advance.

  Did anyone find a way around this? I have the exact same error and tried the exact same solution.
  The Xcode 5 release notes described a problem that sounds similar.
  Communicating with a remote SVN repository over HTTPS can fail with an error similar to “Error validating server certificate for server name.” Edit the file /Library/Server/Xcode/Config/xcsbuildd.plist and change the TrustSelfSignedSSLCertificates key from false to true. Then, from a Terminal window, run: sudo killall xcsbuildd. 14639890
  https://developer.apple.com/library/ios/releasenotes/DeveloperTools/RN-Xcode/Cha pters/xc5_release_notes.html
  I haven't found a similar fix for Xcode 6 though.

• J2me Code Signing:Self Signed Certificate VS Unknown Certificate VS No Cert

  Hello all,
  I have Developed a j2me Application which i want to digitally sign with a Certificate
  that i am going to buy from Verisign.The application is simply doing http/https connections.
  My questions are:
  (1) Which tool should i use? WTK 2.5.2 signing tools or something else like openssl?
  (2) In which Security domain should i include My certificate? identified_third_party or something else?
  Additionally lets say that the Phone in which i am going to install my application for some reason does NOT
  CONTAIN the appropriate ROOT Certificate from Verisign (in which belongs the certificate that i will buy)
  The (Crucial) Questions are:
  (A)What will happen if i will try to install my signed Midlet in a handset not containt Verisign Root Certificate?
  will be installed or no installation at all will take place?
  (B)What will happen if i sign my Midlet with one a "Self Signed" Certificate and install it to my Handset?
  Finally what must be my decision for Handsets that do not include the Appropriate Verisign ROOT Certificate?
  (a)Sign My Application with the Certificate that i will buy From Verisign?
  (b)Sign My Application a "Self Signed" Certificate?
  (c)Do not Sign the application at all?
  (d)Buy A second Certificate from another CA authrity ie thawte
  Please HELP!
  Thanks
  NiKolaos

  (1) Which tool should i use? WTK 2.5.2 signing tools or something else like openssl?
  (2) In which Security domain should i include My certificate? identified_third_party or something else?Did you check the WTK User Guide ? In my version WTK (2.5.1), guide contains quite a large chapter *"Security and MIDlet Signing"* explaining how to use various WTK utilities.
  As far as I can tell, this chapter in particular describes how to emulate real world usage with WTK, for example how to create a key pair and sign a MIDlet (for testing purposes only) and how to emulate real world certificates management (again, for testing purposes).
  This chapter also describes toolkit procedure for signing MIDlet suites with real keys and how to import certificates.
  Chapter also contains sections explaining security policies and protection domains.

• SQL Server 2008 self-signed certificate is 1024bit or 2048bit?

  When there is no user defined certificate available, SQL Server will generate a self-signed certificate when service starts, We have a tool scans and finds that in SQL 2005 the self-signed certificate is 1024bit,  does someone know the default self-signed
  certificate is still 1024bit or is it 2048bit in SQL 2008? Thanks a lot!!!

  I will begin my answer by making an emphasis that the best way to protect your data in-transit is using a 2048 bit certificate signed by a trusted certificate authority (CA) instead of relying on the self-signed certificate created by SQL Server.
   Please remember that the self-signed certificate created by SQL Server usage for data in-transit protection was designed as a mitigation against passive traffic sniffers that could potentially obtain SQL Server credentials being transmitted
  in cleartext, but nothing more. Think of it as a mitigation against a casual adversary.
   The self-signed certificate usage was not intended to replace real data in-transit protection using a certificate signed by a trusted CA and encrypting the whole communication channel. Remember, if it is self-signed, it is trivial to spoof.
  After making this clarification, the self-signed certificate generated by SQL Server uses a 1024 bit key, but that size may be subject to change in future versions of the product. Once again, I would like to strongly discourage relying on the self-signed
  certificate created by SQL Server for data in transit transmission.
  BTW. Azure SQL Database uses a 2048 certificate issued by a valid certificate authority.
  I hope this information helps,
  -Raul Garcia
   SQL Server Security
  This posting is provided "AS IS" with no warranties, and confers no rights.

• How to register iOS device when using self signed certificate with apple Server?

  Hi,
  I have installed the server.app by Apple and used a slef signed certificate for my server. Now I want to register my different devices (iMac, iPhone etc.). I could register the iMac without problesm (I just had to add my self signed certificate to the trusted certificates)
  Sadly, with the iPhone it is not that easy. I can install the "trust profile", but still after that I can not register my device. It seems like it does not accept my self signed certificate for device registration. When adding a registration profile, I get the error "www._mydomain_.tld/devicemanagement/api/device/auto_join_ota_service" is not valid.
  Nethertheless, I can install a profile with setting, e.g. my imap settings, via the profile management without problems.
  Does anyone have an idea how to get around the problem with the self signed certificate?
  Best regards

  Try deleting the Server.app and download it again from the App Store, restart.
  My Server is also using self signed certificates and is working with iOS device (Trust Profile needed first).

• In Firefox 4.0 with a Server with a self signed certificate using IPv6 I can not add a "Security Exception" for this certificate.

  In Firefox 4.0 I have a server ... it contains a self signed certificate. Using IPv6 I can not add a "Security Exception" for this certificate.
  1. I log onto the server (using IPv6). I get the "Untrusted connection page" saying "This connection is Untrusted"
  2. I click on "Add Exception.." under the "I understand the Risks" section.
  3. The "Add Security Exception" dialog comes up. soon after the dialog comes up I get an additional "Alert" dialog saying
  An exception occured during connection to xxxxxxxxx.
  Peer's certificate issuer has been marked as not trusted by the User.
  (Error code sec_error_untrusted_issuer).
  Please note that this works in Firefox 3.6.16 (in IPv4 and IPv6). It also works in Firefox 4.0 in IPv4 only IPv6 has an issue. What's wrong?

  Exactly the same problem, except I'm using FF v6 for Windows, not FF v4 as for the lead post. This is for a self-cert which IS trusted, although the error message says it isn't.

• Lion server erased self signed certificate

  Help!!! I accidentally deleted the self signed certificate that had the right keys for my third party SSL.  Now I cannot replace the self signed certificate with the new SSL.  Now what????

  I will begin my answer by making an emphasis that the best way to protect your data in-transit is using a 2048 bit certificate signed by a trusted certificate authority (CA) instead of relying on the self-signed certificate created by SQL Server.
   Please remember that the self-signed certificate created by SQL Server usage for data in-transit protection was designed as a mitigation against passive traffic sniffers that could potentially obtain SQL Server credentials being transmitted
  in cleartext, but nothing more. Think of it as a mitigation against a casual adversary.
   The self-signed certificate usage was not intended to replace real data in-transit protection using a certificate signed by a trusted CA and encrypting the whole communication channel. Remember, if it is self-signed, it is trivial to spoof.
  After making this clarification, the self-signed certificate generated by SQL Server uses a 1024 bit key, but that size may be subject to change in future versions of the product. Once again, I would like to strongly discourage relying on the self-signed
  certificate created by SQL Server for data in transit transmission.
  BTW. Azure SQL Database uses a 2048 certificate issued by a valid certificate authority.
  I hope this information helps,
  -Raul Garcia
   SQL Server Security
  This posting is provided "AS IS" with no warranties, and confers no rights.

• Backend Encryption with SSL module & Self Signed Cert

  I am trying to configure backend encryption using the SSL module to communicate with a server using a self signed certificate. I configured Authenticate verify none. I have not copied any cert info from the server. Do I need to? The SSL module is complaining about an invalid cert. My config is basic.
  service test-service-cf8-be client
  virtual ipaddr 10.6.1.20 protocol tcp port 80
  server ipaddr 10.6.1.22 protocol tcp port 443
  log-auth-failures
  authenticate verify none
  inservice
  Thanks,
  Dave

  Yes it was up and a debug showed an invalid cert message when the service was hit. The answer turned out to be that you still need to import the root CA from the server so that the SSL mod has something to verify the cert against.
  Thanks..

• Generating Self Signed Certificate for iPlanet Directory Server for testing

  Hi Experts,
  I am unable to find how to generate self signed certificate for iPlanet Directory Server for testing purpose. Actually what i mean is i want to connect to the iPlanet LDAP Server with LDAPS:// rather than LDAP:// for Secured LDAP Authentication. For this purpose How to create a Dummy Certificate to enable iPlanet Directory Server SSL. I searched in google but no help. Please provide me the solution how to test it.
  Thanks in Advance,
  Kalyan

  Here's one I did earlier.
  Refers to Solaris 10
  SSL Security
  add a new certificate that lasts for ten years (120 months).
  stop the instance:
  dsadm stop <instance>
  Remove DS from smf control:
  dsadm disable-service <instance>
  Change Certificate Database Password:
  dsadm set-flags <instance> cert-pwd-prompt=on
       Choose the new certificate database password:
       Confirm the new certificate database password:
  Certificate database password successfully updated.
  Restart the instance from the dscc:
  DSCC -> start <instance>
  Now add a new Certificate which lasts for ten years (120 months; -v 120):
  `cd <instance_path>`
  `certutil -S -d . -P slapd- -s "CN=<FQDN_server_name>" �n testcert �v 120 -t T,, -x`
       Enter Password or Pin for "NSS Certificate DB":
  Stop the Instance.
  On the DSCC Security -> Certificates tab:
       select option to "Do not Prompt for Password"
  Restart the instance.
  On the Security -> General tab, select the new certificate to use for ssl encryption
  Restart the instance
  Stop the instance
  Put DS back into smf control:
  dsadm enable-service <instance>
  Check the smf:
  svcs -a | grep ds
  # svcs -a|grep ds
  disabled Aug_16 svc:/application/sun/ds:default
  online Aug_16 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dscc6-dcc-ads
  online 17:04:28 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1